CVE-2024-32048

Vulnerability

Overview

CVE-2024-32048 is an improper input validation vulnerability in the Intel(R) Distribution of OpenVINO(TM) Model Server software prior to version 2024.0. The flaw resides in how the server processes incoming requests, failing to adequately validate certain inputs. This oversight can be triggered by an unauthenticated attacker on the same network segment, leading to a denial of service (DoS) condition [1].

Exploitation

Prerequisites

An attacker must have adjacent network access to the affected server, meaning they are on the same local network or can reach the server via a directly connected link. No authentication is required to exploit the vulnerability, lowering the barrier to entry. The attack vector is over the network, and the complexity is low, as the attacker only needs to send specially crafted input to the model server's interface [1].

Impact

Successful exploitation results in a denial of service, potentially rendering the OpenVINO Model Server unavailable for legitimate inference requests. This can disrupt AI/ML workloads that depend on the server, affecting availability but not confidentiality or integrity. The CVSS v3 base score is 6.5 (Medium), reflecting the moderate impact and the need for adjacent access [1].

Mitigation

Intel has addressed this vulnerability in OpenVINO Model Server version 2024.0 and later. Users are advised to update to the latest release to mitigate the risk. No workarounds have been publicly documented, so upgrading is the recommended course of action [1].